ICE, TURN and STUN
Stephen Strowes
31/Oct/2008
Stephen Strowes | Nokia © 2008 Company Confidential
NATs
• NAT terminology
  • Full cone
  • Restricted cone
  • Port-restricted cone
  • Symmetric
• Guarantees...
• Packet rewriting (ALGs)...
(Diagram: Client, NAT, NAT, Client. The INVITE carries "Send media to 192.168.1.2:4321".)
ICE, Interactive Connectivity Establishment
• ICE is a mechanism to permit media streams to flow between two peers in a NATed environment
• An extension to SIP, it can be used by other signalling mechanisms
ICE, Interactive Connectivity Establishment
• http://tools.ietf.org/html/draft-ietf-mmusic-ice
• A really high-level view of how ICE-enabled peers establish communication:
  1. Discover information about the network, be pessimistic
  2. Exchange information about the network (signalling)
  3. Systematically probe the possibilities to find a useful connection
ICE, Interactive Connectivity Establishment
• http://tools.ietf.org/html/draft-ietf-mmusic-ice
• Allows hosts in the same NAT realm to communicate directly...
• ... and also ...
• Allows hosts behind symmetric NATs to communicate via a relay
• And variations in-between...
ICE, Terminology
• ICE deals with components
  • 1 component per media stream, e.g., 1 for RTP, 1 for RTCP
• Each media stream may nominate multiple candidate addresses
• Candidate: a transport address (ip:port) which may offer reachability for data incoming from an opposing peer
ICE, Sequence of Events
• In a little more detail:
  1. Candidate gathering (STUN, TURN)
  2. Prioritisation
  3. Exchange
  4. Connectivity checks
  5. Coordination
  6. Communication
ICE, Candidate Gathering
• Uses STUN & TURN
• Each host possibly has multiple candidates...
  • Host
  • Server reflexive
  • Relay
  • Peer reflexive (later...)
(Diagram: Client, NAT, STUN Server)
STUN: Session Traversal Utilities for NAT
• http://tools.ietf.org/html/draft-ietf-behave-rfc3489bis
• Returns the public side of the binding
• XOR-mapped address
(Diagram: Client, NAT, STUN Server. The client sends a STUN Bind Request through the NAT; the STUN Server answers with a STUN Bind Response carrying xor(source ip, source port), the public side of the binding as seen by the server.)
TURN: Traversal Using Relays around NAT
• http://tools.ietf.org/html/draft-ietf-behave-turn
• Allocations
  • Allocate a socket on the relay...
• Permissions
  • Inform the relay which locations it should accept packets from for relaying back to the client
(Diagram: Client, NAT, TURN relay. The client sends a TURN Allocate Request through the NAT; the relay answers with a TURN Allocate Response carrying xor(relay IP, relay port).)
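The STUN and TURN exchanges sketched in the two diagrams above (Bind Request/Response carrying xor(source ip, source port), Allocate Request/Response carrying xor(relay IP, relay port)), as an added worked example in Python. It is not code from the slides or from any implementation they mention; it uses the message-type and attribute numbers of RFC 5389 and RFC 5766 (assumed to match the draft versions the deck cites), handles IPv4 only, and trims the Allocate response to the one attribute the slide shows. The server and relay sides are simulated in-process with constructed addresses, and the client side discards any reply whose transaction id does not match the request it sent:

```python
import os
import socket
import struct

# RFC 5389 / RFC 5766 values, assumed to match the drafts the slides cite.
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ALLOCATE_REQUEST, ALLOCATE_SUCCESS = 0x0003, 0x0103
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # STUN: public side of the NAT binding
ATTR_XOR_RELAYED_ADDRESS = 0x0016  # TURN: transport address allocated on the relay


def encode_xor_address(attr_type, ip, port):
    """XOR-*-ADDRESS attribute for an IPv4 ip:port. Port is XORed with the top
    16 bits of the magic cookie, address with the whole cookie, so no literal
    copy of the public address appears in the payload for an ALG to rewrite."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xip = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xip)  # reserved, family=IPv4
    return struct.pack("!HH", attr_type, len(value)) + value


def build_message(msg_type, attrs=b"", txid=None):
    """20-byte header (type, length, magic cookie, 96-bit transaction id) + attributes."""
    txid = txid if txid is not None else os.urandom(12)
    return struct.pack("!HHI", msg_type, len(attrs), MAGIC_COOKIE) + txid + attrs


def parse_message(data):
    """Returns (msg_type, txid, {attr_type: value}); XOR address attributes are
    decoded back to (ip, port). Malformed input raises ValueError."""
    if len(data) < 20:
        raise ValueError("shorter than a STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) != 20 + length:
        raise ValueError("not a well-formed STUN message")
    txid, attrs, pos = data[8:20], {}, 20
    while pos < len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype in (ATTR_XOR_MAPPED_ADDRESS, ATTR_XOR_RELAYED_ADDRESS):
            _, family, xport, xip = struct.unpack("!BBHI", value)
            if family != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            ip = socket.inet_ntoa(struct.pack("!I", xip ^ MAGIC_COOKIE))
            attrs[atype] = (ip, xport ^ (MAGIC_COOKIE >> 16))
        else:
            attrs[atype] = value
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    return msg_type, txid, attrs


def stun_server_reply(request, seen_ip, seen_port):
    """STUN server: echo the source address the request arrived from, i.e. the
    public side of the NAT binding."""
    msg_type, txid, _ = parse_message(request)
    if msg_type != BINDING_REQUEST:
        raise ValueError("expected a Binding request")
    attr = encode_xor_address(ATTR_XOR_MAPPED_ADDRESS, seen_ip, seen_port)
    return build_message(BINDING_SUCCESS, attr, txid)


def turn_relay_reply(request, relay_ip, relay_port):
    """TURN relay: answer an Allocate with the relayed address it allocated."""
    msg_type, txid, _ = parse_message(request)
    if msg_type != ALLOCATE_REQUEST:
        raise ValueError("expected an Allocate request")
    attr = encode_xor_address(ATTR_XOR_RELAYED_ADDRESS, relay_ip, relay_port)
    return build_message(ALLOCATE_SUCCESS, attr, txid)


def client_learn_address(request, response, attr_type):
    """Client side: accept the reply only if its transaction id matches the
    request we sent, so a stray or spoofed response cannot plant a candidate."""
    _, req_txid, _ = parse_message(request)
    _, resp_txid, attrs = parse_message(response)
    if resp_txid != req_txid:
        raise ValueError("transaction id mismatch: not a reply to our request")
    return attrs[attr_type]


if __name__ == "__main__":
    # Constructed values; 192.0.2.3:45664 is the srflx address from the SDP example later in the deck.
    req = build_message(BINDING_REQUEST)
    resp = stun_server_reply(req, "192.0.2.3", 45664)
    print("server reflexive:", client_learn_address(req, resp, ATTR_XOR_MAPPED_ADDRESS))
    req = build_message(ALLOCATE_REQUEST)
    resp = turn_relay_reply(req, "198.51.100.7", 50000)
    print("relayed:", client_learn_address(req, resp, ATTR_XOR_RELAYED_ADDRESS))
```

Running it prints the decoded server reflexive and relayed addresses; on the wire the port 45664 appears as 0x9372 and the address as 0xE112A641, which is what the XOR with the magic cookie buys.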
ICE, Candidate Gathering
• Uses STUN & TURN
• Possibly multiple candidates...
  • Relay
  • Server reflexive
  • Host
  • Peer reflexive (later...)
(Diagram: Client, NAT, STUN server)
ICE, Prioritisation
• prio = 2^24 * type_pref + 2^8 * local_pref + (256 - component_ID)
• Type preference:
  • 0: Relayed candidates
  • 100: Server reflexive candidates
  • 110: Peer reflexive candidates
  • 126: Host candidates
• Local preference:
  • Preference by interface, by STUN server...
• Component ID:
  • As described (RTP=1; RTCP=2)
ICE, Candidate Exchange
• Signalling carries the gathered candidates
  • In SIP, INVITE & response
• SDP carries the candidates for ICE usage...
(Diagram: L behind a NAT and R behind a NAT, each with a STUN server; a SIP proxy sits between them.)
ICE, Candidate Exchange
• Signalling carries the gathered candidates
  • In SIP, INVITE & response
• SDP carries the candidates for ICE usage...
a=candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host
a=candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx raddr 10.0.1.1 rport 8998
Fields of an a=candidate line, left to right: foundation, component ID, transport type, priority, transport address (address and port), type, related address & port (raddr/rport).
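The priority formula from the Prioritisation slide and the two a=candidate lines above, as an added Python example (not code from the deck). It computes candidate priorities with the slide's formula, parses a=candidate lines into the fields listed above, and checks a received candidate set for the one property a receiver can verify without knowing the sender's local preference: the type preference sits in the top eight bits of the advertised priority and must agree with the typ field. The SDP lines and the type-preference table are the slide's own; the local preference of 65535 used for recomputation is an assumption:

```python
import re

# Type preferences from the Prioritisation slide
TYPE_PREFERENCE = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}


def candidate_priority(cand_type, component_id, local_pref=65535):
    """prio = 2^24 * type_pref + 2^8 * local_pref + (256 - component_ID)."""
    if not 1 <= component_id <= 256:
        raise ValueError("component ID must be in 1..256")
    if not 0 <= local_pref <= 65535:
        raise ValueError("local preference must fit in 16 bits")
    return ((1 << 24) * TYPE_PREFERENCE[cand_type]
            + (1 << 8) * local_pref
            + (256 - component_id))


CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<type>\S+)(?P<rest>.*)$")


def parse_candidate(line):
    """Parse one SDP a=candidate line into a dict. raddr/rport, present on
    reflexive and relayed candidates, come from the trailing key/value pairs."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=candidate line: %r" % line)
    cand = m.groupdict()
    for key in ("component", "priority", "port"):
        cand[key] = int(cand[key])
    if not 0 < cand["port"] < 65536:
        raise ValueError("port out of range")
    rest = cand.pop("rest").split()
    if len(rest) % 2:
        raise ValueError("trailing attributes must be key/value pairs")
    extras = dict(zip(rest[0::2], rest[1::2]))
    cand["raddr"] = extras.get("raddr")
    cand["rport"] = int(extras["rport"]) if "rport" in extras else None
    return cand


def inconsistent_candidates(sdp_lines):
    """Sanity check on a received candidate set: priority >> 24 is the type
    preference, so it must match the typ field. Returns the foundations of
    candidates that fail (unknown types count as failures). The full value
    cannot be recomputed because local_pref is the sender's choice."""
    bad = []
    for line in sdp_lines:
        if not line.startswith("a=candidate:"):
            continue  # other SDP lines are not our concern here
        cand = parse_candidate(line)
        expected = TYPE_PREFERENCE.get(cand["type"])
        if expected is None or (cand["priority"] >> 24) != expected:
            bad.append(cand["foundation"])
    return bad


# The two candidate lines from the slide
SLIDE_SDP = [
    "a=candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host",
    "a=candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx raddr 10.0.1.1 rport 8998",
]

if __name__ == "__main__":
    for line in SLIDE_SDP:
        c = parse_candidate(line)
        print(c["type"], c["priority"], "recomputed:",
              candidate_priority(c["type"], c["component"]))
    print("inconsistent foundations:", inconsistent_candidates(SLIDE_SDP))
```

With local_pref = 65535 and component 1 the formula reproduces exactly the two priorities on the slide (2130706431 for the host candidate, 1694498815 for the server reflexive one), and a line claiming typ relay with a host-range priority is flagged.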
ICE, Candidate Exchange
• Signalling carries the gathered candidates
  • SIP response carrying the opposing peer's candidate set
(Diagram: L behind a NAT and R behind a NAT, each with a STUN server; a SIP proxy sits between them.)
ICE, Connectivity Checks
• Pair the local candidates off against the remote candidates
• Calculate pair priority as:
  • 2^32 * min(P_L, P_R) + 2 * max(P_L, P_R) + (P_L > P_R ? 1 : 0)
• Order the list by priority...
• Prune duplicates
ICE, Connectivity Checks
• Pair the local candidates off against the remote candidates
Local candidates: HostL, SrflxL, RelayL. Remote candidates: HostR, SrflxR, RelayR.
Candidate pairs (local - remote):
  HostL - HostR, SrflxL - HostR, RelayL - HostR
  HostL - SrflxR, SrflxL - SrflxR, RelayL - SrflxR
  HostL - RelayR, SrflxL - RelayR, RelayL - RelayR
ICE, Connectivity Checks
• Prioritise and order candidates...
  • 2^32 * min(P_L, P_R) + 2 * max(P_L, P_R) + (P_L > P_R ? 1 : 0)
Pairs labelled with their min-max type preferences:
  126-126 HostL - HostR, 100-126 SrflxL - HostR, 0-126 RelayL - HostR
  100-126 HostL - SrflxR, 100-100 SrflxL - SrflxR, 0-100 RelayL - SrflxR
  0-126 HostL - RelayR, 0-100 SrflxL - RelayR, 0-0 RelayL - RelayR
ICE, Connectivity Checks
• Prioritise and order candidates...
  • 2^32 * min(P_L, P_R) + 2 * max(P_L, P_R) + (P_L > P_R ? 1 : 0)
Ordered by pair priority (min-max type preferences shown):
  1. 126-126 HostL - HostR
  2. 100-126 SrflxL - HostR
  3. 100-126 HostL - SrflxR
  4. 100-100 SrflxL - SrflxR
  5. 0-126 RelayL - HostR
  6. 0-126 HostL - RelayR
  7. 0-100 RelayL - SrflxR
  8. 0-100 SrflxL - RelayR
  9. 0-0 RelayL - RelayR
ICE, Connectivity Checks
• Prune duplicates...
  • Replace local candidates with their bases
After replacing SrflxL with its base, HostL, the ordered list becomes:
  1. 126-126 HostL - HostR
  2. 100-126 HostL - HostR (was SrflxL - HostR)
  3. 100-126 HostL - SrflxR
  4. 100-100 HostL - SrflxR (was SrflxL - SrflxR)
  5. 0-126 RelayL - HostR
  6. 0-126 HostL - RelayR
  7. 0-100 RelayL - SrflxR
  8. 0-100 HostL - RelayR (was SrflxL - RelayR)
  9. 0-0 RelayL - RelayR
ICE, Connectivity Checks
• Prune duplicates...
  • Remove duplicates, retain the highest priority duplicate
After pruning:
  1. 126-126 HostL - HostR
  2. 100-126 HostL - SrflxR
  3. 0-126 RelayL - HostR
  4. 0-126 HostL - RelayR
  5. 0-100 RelayL - SrflxR
  6. 0-0 RelayL - RelayR
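The pairing, pair priority, ordering, base replacement and pruning walked through on the preceding Connectivity Checks slides, as an added Python example (not the deck's code). Candidate priorities come from the formula on the Prioritisation slide with a constructed local preference of 65535 and a single component; the candidate names follow the slides, and which candidate is the base of which is constructed to match them (SrflxL's base is HostL):

```python
from collections import namedtuple

Candidate = namedtuple("Candidate", "name ctype priority base")


def pair_priority(p_local, p_remote):
    """Pair priority from the slide: 2^32 * min + 2 * max + (1 if P_L > P_R else 0)."""
    return ((1 << 32) * min(p_local, p_remote)
            + 2 * max(p_local, p_remote)
            + (1 if p_local > p_remote else 0))


def form_check_list(local, remote):
    """Pair every local candidate with every remote one, order by pair priority,
    replace each local candidate by its base, then prune duplicates keeping the
    highest-priority copy. Returns [(local_base, remote_name, priority), ...]."""
    pairs = [(l, r) for l in local for r in remote]
    pairs.sort(key=lambda lr: pair_priority(lr[0].priority, lr[1].priority),
               reverse=True)
    seen, check_list = set(), []
    for l, r in pairs:
        key = (l.base, r.name)      # local candidate replaced by its base
        if key in seen:
            continue                # lower-priority duplicate: pruned
        seen.add(key)
        check_list.append((l.base, r.name, pair_priority(l.priority, r.priority)))
    return check_list


def cand_prio(type_pref, local_pref=65535, component=1):
    """Candidate priority formula from the Prioritisation slide."""
    return (1 << 24) * type_pref + (1 << 8) * local_pref + (256 - component)


# Constructed candidate sets matching the slides' HostL/SrflxL/RelayL and
# HostR/SrflxR/RelayR. Host and relayed candidates are their own base; the
# server reflexive candidate's base is the host candidate it was learned from.
LOCAL = [Candidate("HostL", "host", cand_prio(126), "HostL"),
         Candidate("SrflxL", "srflx", cand_prio(100), "HostL"),
         Candidate("RelayL", "relay", cand_prio(0), "RelayL")]
REMOTE = [Candidate("HostR", "host", cand_prio(126), "HostR"),
          Candidate("SrflxR", "srflx", cand_prio(100), "HostR"),
          Candidate("RelayR", "relay", cand_prio(0), "RelayR")]

if __name__ == "__main__":
    for l, r, p in form_check_list(LOCAL, REMOTE):
        print("%-7s %-7s %d" % (l, r, p))
```

The nine pairs collapse to the six on the slide. One detail the slides group only by type preference: with the formula computed exactly, the tie-break term (P_L > P_R) places HostL - RelayR just above RelayL - HostR, since both share the same min and max but only the first has the higher-priority candidate on the local side.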
ICE, Connectivity Checks
• Series of STUN requests and responses between these pairs
• Checks are paced
  • 1 every 20 ms
• Frozen Algorithm
• Normal checks (following prioritisation)
• Triggered checks (optimisation)
ICE, Connectivity Checks
• Series of STUN requests and responses between these pairs
(Diagram: L, NAT, STUN server; R, NAT, STUN server. L's checks are sent to the remote candidates pair by pair.)
ICE, Connectivity Checks
• ... and host R does the same ...
(Diagram: L, NAT, STUN server; R, NAT, STUN server)
ICE, Frozen Algorithm
• Generally, there are multiple components (RTP, RTCP...), each with its own candidate set
• ICE assumes that similar candidate pairs between components will exhibit similar characteristics
• Initially all pairs are frozen; the highest priority pair is "unfrozen" and checked
• If a STUN request comes in from one of the frozen pairs, unfreeze it such that it's the next check to be dispatched (triggered check)
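A simplified scheduler for the rules on this slide and on the Connectivity Checks slide before it (checks paced at one every 20 ms, all pairs initially frozen, the highest-priority pair unfrozen first, pairs of other components sharing a foundation unfrozen once a check succeeds, an incoming STUN request promoting its pair to the next check), as an added Python model. It is not the deck's code nor pjnath's, and it sends no packets: dispatch times are returned instead of slept on, and the rest of the ICE state machine (cancellation of in-progress checks, nomination) is left out. The pair names, foundations and priorities are constructed:

```python
from collections import deque

TA_MS = 20  # pacing: one check every 20 ms, as on the slides


class CheckList:
    """Pairs are given as (name, foundation, priority). States follow the
    slide: Frozen -> Waiting -> In-Progress -> Succeeded/Failed."""

    def __init__(self, pairs):
        self.priority = {name: prio for name, _, prio in pairs}
        self.foundation = {name: fnd for name, fnd, _ in pairs}
        self.state = {name: "Frozen" for name, _, _ in pairs}
        self.triggered = deque()
        self.clock_ms = 0
        if pairs:  # seed the ordinary checks with the highest-priority pair
            self.state[max(self.priority, key=self.priority.get)] = "Waiting"

    def _highest(self, wanted_state):
        names = [n for n, s in self.state.items() if s == wanted_state]
        return max(names, key=self.priority.get) if names else None

    def on_incoming_check(self, name):
        """A STUN request arrived on this pair: unfreeze it and queue a
        triggered check so it is dispatched next."""
        if self.state[name] in ("Frozen", "Waiting") and name not in self.triggered:
            self.state[name] = "Waiting"
            self.triggered.append(name)

    def on_response(self, name, ok):
        """Record a check's outcome; a success unfreezes the frozen pairs of
        other components that share this pair's foundation."""
        self.state[name] = "Succeeded" if ok else "Failed"
        if ok:
            for other, fnd in self.foundation.items():
                if fnd == self.foundation[name] and self.state[other] == "Frozen":
                    self.state[other] = "Waiting"

    def next_check(self):
        """Pick the next pair to check: a triggered check first, else the
        highest-priority Waiting pair, else unfreeze the highest-priority Frozen
        pair. Returns (dispatch_time_ms, name, kind), or None when nothing is left."""
        if self.triggered:
            name, kind = self.triggered.popleft(), "triggered"
        else:
            name, kind = self._highest("Waiting") or self._highest("Frozen"), "ordinary"
            if name is None:
                return None
        self.state[name] = "In-Progress"
        entry = (self.clock_ms, name, kind)
        self.clock_ms += TA_MS  # pacing between consecutive checks
        return entry


# Constructed check list: two components (rtp, rtcp) whose pairs share
# foundations f1 (host-host) and f2 (host-srflx).
PAIRS = [("rtp:HostL-HostR", "f1", 400), ("rtp:HostL-SrflxR", "f2", 300),
         ("rtcp:HostL-HostR", "f1", 399), ("rtcp:HostL-SrflxR", "f2", 299)]

if __name__ == "__main__":
    cl = CheckList(PAIRS)
    print(cl.next_check())                     # highest-priority pair, t=0
    cl.on_incoming_check("rtcp:HostL-SrflxR")  # remote side checked us first
    print(cl.next_check())                     # triggered check jumps the queue
    cl.on_response("rtp:HostL-HostR", True)    # success unfreezes rtcp f1 pair
    print(cl.next_check(), cl.next_check(), cl.next_check())
```

The run shows the three mechanisms in order: the ordinary check at t=0, the triggered check at t=20 ms for a pair that was still frozen, and the rtcp pair sharing foundation f1 dispatched ahead of the higher-priority but still-frozen rtp srflx pair once the rtp host pair has succeeded.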
ICE, Connectivity Checks
• 4-way handshake
(Diagram: L sends a STUN Request to R and R answers with a STUN Response [xor(source IP, source port)]; R sends a STUN Request to L and L answers with a STUN Response [xor(source IP, source port)].)
ICE, Connectivity Checks
• Peer Reflexive candidate discovery:
  • A STUN check through a symmetric NAT will reveal to the receiving peer a new candidate address
(Diagram: R, NAT, L. A STUN Request from L arrives at R from an address that was not in L's candidate set.)
ICE, Coordination
• Signal completion (achieved directly between peers)
• Regular nomination by the controlling peer
  • Re-send a STUN check, with a flag set
• Aggressive nomination by the controlling peer
  • Set the flag in all STUN checks, such that the first working candidate is chosen
ICE, Communication
*joy*
Security Mechanisms
• TURN:
  • Long-term credentials
  • Digest challenge
• Connectivity checks:
  • Short-term credentials
  • Time-limited
MIMP: Mobile Internet Measurement Platform
MIMP: Mobile Internet Measurement Platform
• Aim is to support multiple different kinds of tests...
• Collect data from cellphones (etc...) in the real world
• Server hardware located at Nokia; fit.nokia.com
MIMP: Mobile Internet Measurement Platform
• Downloadable client for Symbian
  • Updateable
  • Presents a list of tests to run
  • Test-specific configuration via HTTP
  • On test completion, submit results over HTTP
MIMP: Mobile Internet Measurement Platform
MIMP: ICE
• SIP server (OpenSER), STUN server/TURN relay (turnserver)
• ICE implementation: pjnath (part of the pjsip project)
  • http://pjsip.org/
• Symbian client grabs test configuration, e.g.,
  • SIP username & password
  • STUN/TURN server
  • SIP agent to contact (located on our machine)
• Submits logged results to a known location over HTTP
• Server side of comms also logs ICE interactions and submits
• Post-processing will take place to generate pretty pictures, graphs, etc
ICE: What don't we know?
• Actual quantifiable data on success rates for ICE
• These protocols, or the ideas behind them, are being used in the real world, but perhaps they need tweaking
• Performance of connectivity checks
• Analysis of quality of chosen candidates
• ... and then there's the possibility of collecting information on the type of NATs widely deployed in the Internet
Resources
• ICE: http://tools.ietf.org/html/draft-ietf-mmusic-ice
• STUN: http://tools.ietf.org/html/draft-ietf-behave-rfc3489bis
• TURN: http://tools.ietf.org/html/draft-ietf-behave-turn